CVE-2024-6972
📋 TL;DR
Octopus Server versions before 2024.2.10998 may write sensitive variables such as passwords and API keys to task logs in clear text under certain circumstances. This affects organizations using Octopus Deploy for deployment automation where sensitive variables are configured. Attackers with access to task logs could steal credentials and escalate privileges.
💻 Affected Systems
- Octopus Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full credential compromise leading to complete system takeover, data exfiltration, and lateral movement across infrastructure.
Likely Case
Exposure of API keys, database passwords, or deployment credentials allowing unauthorized access to connected systems.
If Mitigated
Limited exposure of non-critical variables if proper access controls and logging restrictions are implemented.
🎯 Exploit Status
Requires authenticated access to Octopus Server interface to view task logs where variables may be exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.2.10998 and later
Vendor Advisory: https://advisories.octopus.com/post/2024/sa2024-06/
Restart Required: Yes
Instructions:
1. Back up the Octopus Server configuration and database.
2. Download Octopus Server version 2024.2.10998 or later from the official Octopus Deploy website.
3. Run the installer and follow the upgrade prompts.
4. Restart the Octopus Server service after installation completes.
🔧 Temporary Workarounds
Restrict Task Log Access
Limit access to task logs through Octopus permissions and restrict viewing to only necessary users.
Configure via Octopus Web Portal: Settings -> Users -> Permissions -> Restrict 'TaskView' and 'TaskViewLog' permissions
Audit Sensitive Variables
Review and minimize the use of sensitive variables in deployments, using alternative secure storage where possible.
Review all projects: Variables -> Sensitive variables section
🧯 If You Can't Patch
- Implement strict access controls to Octopus Server interface and task logs
- Regularly audit task logs for exposed credentials and rotate any potentially compromised secrets
🔍 How to Verify
Check if Vulnerable:
Check the Octopus Server version in the web interface (Configuration -> About) or run 'Octopus.Server.exe show-configuration --format=json' and inspect the Version value.
Check Version:
Octopus.Server.exe show-configuration --format=json | grep Version
Verify Fix Applied:
Confirm version is 2024.2.10998 or later and test that sensitive variables are properly masked in task logs.
📡 Detection & Monitoring
Log Indicators:
- Clear-text passwords, API keys, or other sensitive variables appearing in Octopus task logs
Network Indicators:
- Unauthorized access patterns to Octopus Server task log endpoints
SIEM Query:
source="octopus-server" AND ("password" OR "api_key" OR "secret") AND log_level="INFO"
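The version check under "How to Verify" and the log indicator under "Detection & Monitoring" can be combined into one offline check. The following Python script is an added example and is not part of the advisory or of Octopus Deploy's own tooling: it compares a reported version against the fixed build 2024.2.10998, and scans an exported task log for known sensitive values (for instance a canary value you set in a test project) that should have been masked. The log lines, the variable names and the canary values are constructed for the example; the "********" mask string is an assumption about how Octopus redacts sensitive values.

```python
import re
from typing import Dict, Iterable, List, Tuple

# First build that contains the fix, per the advisory.
FIXED_VERSION = (2024, 2, 10998)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'YYYY.minor.build' (optionally with a suffix) into a comparable tuple."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Octopus version string: {version!r}")
    major, minor, build = (int(part) for part in match.groups())
    return (major, minor, build)


def is_vulnerable_version(version: str) -> bool:
    """True when the reported version is older than the fixed build."""
    return parse_version(version) < FIXED_VERSION


def find_leaked_secrets(log_lines: Iterable[str],
                        sensitive_values: Dict[str, str]) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for every clear-text occurrence of a
    known sensitive value. A properly masked line shows only the mask, so it
    never matches the real value."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for name, value in sensitive_values.items():
            if value and value in line:
                hits.append((line_no, name))
    return hits


# Constructed sample: a task log export where one error message echoes a
# connection string containing the real password instead of the mask.
SAMPLE_TASK_LOG = [
    "12:00:01 Info    | Deploying package MyApp 1.4.2 to Web-01",
    "12:00:02 Verbose | Variable DbPassword = ********",
    "12:00:03 Error   | Connection failed: Server=db01;Password=Hunter2-canary-9f3a;",
    "12:00:04 Verbose | Variable ApiKey = ********",
]

# Constructed canary values: set these as sensitive variables in a throwaway
# project, run a deployment, then scan the exported task log for them.
CANARY_SECRETS = {"DbPassword": "Hunter2-canary-9f3a", "ApiKey": "API-CANARY-0000-ZZZZ"}

if __name__ == "__main__":
    print("vulnerable build:", is_vulnerable_version("2024.2.9998"))
    print("leaks:", find_leaked_secrets(SAMPLE_TASK_LOG, CANARY_SECRETS))
```

Any hit returned by find_leaked_secrets means the corresponding secret must be treated as compromised and rotated, whichever version the server reports.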